ultimate-jekyll-manager 1.1.2 → 1.1.3

package/CHANGELOG.md

@@ -14,6 +14,13 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - `Fixed` for any bug fixes.
 - `Security` in case of vulnerabilities.
 
+---
+## [1.1.3] - 2026-04-08
+### Security
+- Escape all remaining unescaped innerHTML values (formatDate, formatDateTime, formatIncidentStatus, formatTimeAgo, statusLabels, dataStatusMap, numeric values) for defense-in-depth
+- Add `https://` scheme validation to `window.open()` and `href` attributes for push notification URLs in calendar-events
+- Remove `style` from DOMPurify `ALLOWED_ATTR` in campaign email preview to prevent CSS-based data exfiltration
+
 ---
 ## [1.1.2] - 2026-04-08
 ### Fixed

package/dist/assets/js/pages/admin/calendar/calendar-events.js

@@ -141,7 +141,7 @@ export default class CalendarEvents {
         return;
       }
       const url = $notification.dataset.clickAction;
-      if (url) {
+      if (url && /^https?:\/\//i.test(url)) {
         window.open(url, '_blank', 'noopener,noreferrer');
       }
     });
@@ -688,10 +688,12 @@ export default class CalendarEvents {
 
     if (campaign.type === 'push') {
       if (settings.icon) {
-        html += `<tr><td class="text-muted">Icon</td><td><a href="${webManager.utilities().escapeHTML(settings.icon)}" target="_blank" rel="noopener">${webManager.utilities().escapeHTML(settings.icon)}</a></td></tr>`;
+        const iconUrl = /^https?:\/\//i.test(settings.icon) ? webManager.utilities().escapeHTML(settings.icon) : '#';
+        html += `<tr><td class="text-muted">Icon</td><td><a href="${iconUrl}" target="_blank" rel="noopener">${webManager.utilities().escapeHTML(settings.icon)}</a></td></tr>`;
       }
       if (settings.clickAction) {
-        html += `<tr><td class="text-muted">Click URL</td><td><a href="${webManager.utilities().escapeHTML(settings.clickAction)}" target="_blank" rel="noopener">${webManager.utilities().escapeHTML(settings.clickAction)}</a></td></tr>`;
+        const clickUrl = /^https?:\/\//i.test(settings.clickAction) ? webManager.utilities().escapeHTML(settings.clickAction) : '#';
+        html += `<tr><td class="text-muted">Click URL</td><td><a href="${clickUrl}" target="_blank" rel="noopener">${webManager.utilities().escapeHTML(settings.clickAction)}</a></td></tr>`;
       }
     }
 

package/dist/assets/js/pages/admin/calendar/campaign-preview.js

@@ -30,7 +30,7 @@ async function renderEmailPreview(formData) {
   const renderedContent = content
     ? DOMPurify.sanitize(md.render(content), {
         ALLOWED_TAGS: ['h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'p', 'br', 'hr', 'ul', 'ol', 'li', 'a', 'b', 'strong', 'i', 'em', 'u', 's', 'del', 'blockquote', 'pre', 'code', 'img', 'table', 'thead', 'tbody', 'tr', 'th', 'td', 'div', 'span', 'sup', 'sub'],
-        ALLOWED_ATTR: ['href', 'src', 'alt', 'title', 'width', 'height', 'class', 'style', 'target', 'rel'],
+        ALLOWED_ATTR: ['href', 'src', 'alt', 'title', 'width', 'height', 'class', 'target', 'rel'],
       })
     : '<p class="text-muted">No content yet</p>';
 

package/dist/assets/js/pages/admin/dashboard/index.js

@@ -327,7 +327,7 @@ async function loadRecentUsers() {
     $row.innerHTML = `
       <td class="text-truncate" style="max-width: 200px;">${webManager.utilities().escapeHTML(email)}</td>
       <td><span class="badge bg-body-secondary text-body">${webManager.utilities().escapeHTML(capitalize(plan))}</span></td>
-      <td class="text-muted small">${timeAgo}</td>
+      <td class="text-muted small">${webManager.utilities().escapeHTML(timeAgo)}</td>
     `;
     $tbody.appendChild($row);
   });
@@ -376,7 +376,7 @@ async function loadRecentOrders() {
       <td class="font-monospace small text-truncate" style="max-width: 120px;" title="${webManager.utilities().escapeHTML(orderId)}">${webManager.utilities().escapeHTML(orderId)}</td>
       <td><span class="badge bg-body-secondary text-body">${webManager.utilities().escapeHTML(capitalize(product))}</span></td>
       <td class="small">${webManager.utilities().escapeHTML(capitalize(processor))}</td>
-      <td class="text-muted small">${timeAgo}</td>
+      <td class="text-muted small">${webManager.utilities().escapeHTML(timeAgo)}</td>
     `;
     $tbody.appendChild($row);
   });

package/dist/assets/js/pages/admin/firebase/index.js

@@ -408,7 +408,7 @@ function renderCellValue(value) {
   if (typeof value === 'number') {
     // Check if it looks like a UNIX timestamp (reasonable range)
     if (value > 1000000000 && value < 10000000000) {
-      return `<span title="${value}">${new Date(value * 1000).toLocaleDateString()}</span>`;
+      return `<span title="${webManager.utilities().escapeHTML(String(value))}">${webManager.utilities().escapeHTML(new Date(value * 1000).toLocaleDateString())}</span>`;
     }
     return webManager.utilities().escapeHTML(value.toLocaleString());
   }

package/dist/assets/js/pages/status/index.js

@@ -135,10 +135,10 @@ function showUptimeTooltip(e, $bar, index, totalDays) {
   });
 
   $tooltip.innerHTML = `
-    <div class="fw-semibold mb-1">${dateStr}</div>
+    <div class="fw-semibold mb-1">${webManager.utilities().escapeHTML(dateStr)}</div>
     <div class="d-flex align-items-center gap-2">
       <span class="status-dot rounded-circle ${config.statusClasses[status]}"></span>
-      <span>${config.statusLabels[status]}</span>
+      <span>${webManager.utilities().escapeHTML(config.statusLabels[status])}</span>
     </div>
     <div class="text-muted small">Uptime: ${webManager.utilities().escapeHTML(uptime)}</div>
   `;
@@ -531,7 +531,7 @@ function updateMaintenance(maintenanceItems) {
       <div class="card-body p-4">
         <div class="d-flex justify-content-between align-items-start mb-2">
           <h4 class="h5 fw-semibold mb-0">${webManager.utilities().escapeHTML(item.title)}</h4>
-          <span class="text-muted small">${formatDate(item.scheduled_for)}</span>
+          <span class="text-muted small">${webManager.utilities().escapeHTML(formatDate(item.scheduled_for))}</span>
         </div>
         <p class="text-muted mb-0">${webManager.utilities().escapeHTML(item.description)}</p>
         ${item.affected_services ? `
@@ -581,15 +581,15 @@ function updateIncidents(incidents) {
         <div class="d-flex justify-content-between align-items-start mb-2 flex-wrap gap-2">
           <h4 class="h5 fw-semibold mb-0">${webManager.utilities().escapeHTML(incident.title)}</h4>
           <div class="d-flex align-items-center gap-2">
-            <span class="badge ${getIncidentBadgeClasses(incident.status)}">${formatIncidentStatus(incident.status)}</span>
-            <span class="text-muted small">${formatDate(incident.created_at)}</span>
+            <span class="badge ${getIncidentBadgeClasses(incident.status)}">${webManager.utilities().escapeHTML(formatIncidentStatus(incident.status))}</span>
+            <span class="text-muted small">${webManager.utilities().escapeHTML(formatDate(incident.created_at))}</span>
           </div>
         </div>
         ${incident.updates && incident.updates.length > 0 ? `
           <div class="incident-timeline mt-3">
             ${incident.updates.map(update => `
-              <div class="timeline-item pb-3" data-status="${config.dataStatusMap[update.status] || ''}">
-                <div class="small text-muted mb-1">${formatDateTime(update.created_at)}</div>
+              <div class="timeline-item pb-3" data-status="${webManager.utilities().escapeHTML(config.dataStatusMap[update.status] || '')}">
+                <div class="small text-muted mb-1">${webManager.utilities().escapeHTML(formatDateTime(update.created_at))}</div>
                 <div class="small">${webManager.utilities().escapeHTML(update.message)}</div>
               </div>
             `).join('')}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ultimate-jekyll-manager",
-  "version": "1.1.2",
+  "version": "1.1.3",
   "description": "Ultimate Jekyll dependency manager",
   "main": "dist/index.js",
   "exports": {